WordPress Trac: Ticket #16623: Authentication Unique Keys and Salts broke wp-config.
https://core.trac.wordpress.org/ticket/16623
<p>
I've never seen this happen before but today I was installing WordPress and the Authentication Unique Keys and Salts broke the site during install.
</p>
<p>
<tt>define('NONCE_SALT', 'J6:6$c."Eec\_WQ:B2V \h 3,WZ?q&lt;O[uTYq_~(@+[^T@}M,}yq6JKT3)PgKqRd\');</tt>
</p>
<p>
I've attached a Dreamweaver screenshot where the code highlighter found the error. After replacing the <tt>J6:6$c."Eec\_WQ:B2V \h 3,WZ?q&lt;O[uTYq_~(@+[^T@}M,}yq6JKT3)PgKqRd\</tt> above with a clean salt, it worked again.
</p>
christopherross, Wed, 23 Feb 2011 23:14:27 GMT: attachment set
https://core.trac.wordpress.org/ticket/16623
<ul>
<li><strong>attachment</strong>
set to <em>Screen shot 2011-02-23 at 7.11.03 PM.png</em>
</li>
</ul>
<p>
Screenshot of error in text editor
</p>
dd32, Wed, 23 Feb 2011 23:21:44 GMT: component, description, milestone changed
https://core.trac.wordpress.org/ticket/16623#comment:1
<ul>
<li><strong>component</strong>
changed from <em>Upgrade/Install</em> to <em>WordPress.org site</em>
</li>
<li><strong>description</strong>
modified (<a href="/ticket/16623?action=diff&amp;version=1">diff</a>)
</li>
<li><strong>milestone</strong>
changed from <em>Awaiting Review</em> to <em>WordPress.org</em>
</li>
</ul>
<p>
Moving to WordPress.org - can be moved back for 3.2 after API change is done perhaps
</p>
<p>
The API is returning a slash at the end of the string, whilst that's legit, core doesn't escape the string, and appears to be using it as-is. The result is the closing quote is escaped, causing.. well.. what you've got there
</p>
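<p>
The failure described in the comment above, as an added example that is not part of the ticket or of WordPress core: one function reports why a raw value cannot be pasted unescaped between single quotes in PHP source, and another builds the <tt>define()</tt> line with <tt>var_export()</tt> so PHP does the escaping. The function names and sample values are hypothetical.
</p>

```php
<?php
// Added example; function names are hypothetical, not WordPress core APIs.

/**
 * Report why $raw cannot be pasted unescaped between single quotes in
 * PHP source, or return null if the resulting literal is syntactically valid.
 */
function single_quote_hazard(string $raw): ?string
{
    $len = strlen($raw);
    for ($i = 0; $i < $len; $i++) {
        if ($raw[$i] === "'") {
            return "unescaped quote at offset $i ends the literal early";
        }
        if ($raw[$i] === '\\') {
            if ($i === $len - 1) {
                return 'trailing backslash escapes the closing quote';
            }
            // \\ and \' are the only escapes in a single-quoted literal;
            // skip the escaped character. Any other \x stays literal.
            if ($raw[$i + 1] === '\\' || $raw[$i + 1] === "'") {
                $i++;
            }
        }
    }
    return null;
}

/** Build a define() line whose string literals are escaped by PHP itself. */
function define_line(string $name, string $value): string
{
    return sprintf('define(%s, %s);', var_export($name, true), var_export($value, true));
}

// Constructed sample values. The second ends in a backslash, like the
// salt quoted in the ticket; \_ and \h in the middle are harmless.
$samples = [
    'k9-_ []{}<>~`+=,.;:/?|',
    'Eec\_WQ \h PgKqRd' . '\\',
];

foreach ($samples as $sample) {
    echo single_quote_hazard($sample) ?? 'valid as-is', "\n";
    echo define_line('NONCE_SALT', $sample), "\n";
}
```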
dd32, Wed, 23 Feb 2011 23:32:27 GMT
https://core.trac.wordpress.org/ticket/16623#comment:2
<p>
Upon some more checking.. The API shouldn't be returning slashes at all, or " both of which are in your keys..
</p>
<p>
You used the web-creation of wp-config.php correct? and WordPress 3.1 just did it all by itself? (Or did you manually create the config file, OR copy-paste the file contents it gave you?)
</p>
Otto42, Thu, 24 Feb 2011 02:28:45 GMT
https://core.trac.wordpress.org/ticket/16623#comment:3
<p>
Yes, after several runs, I can't get the secret key generator on .org to return any slashes at all, much less at the end of the string:
</p>
<p>
<a class="ext-link" href="http://api.wordpress.org/secret-key/1.1/"><span class="icon">​</span>http://api.wordpress.org/secret-key/1.1/</a>
</p>
<p>
Does core generate its own instead of hitting the API?
</p>
sivel, Thu, 24 Feb 2011 02:57:56 GMT
https://core.trac.wordpress.org/ticket/16623#comment:4
<p>
During the install, if wp_remote_get cannot fetch the keys, it will fall back to using wp_generate_password:
</p>
<pre class="wiki">wp_generate_password( 64, true, true );
</pre><p>
wp_generate_password() does not, however, generate backslashes (\). Possible characters are:
</p>
<pre class="wiki">abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
</pre><pre class="wiki">!@#$%^&amp;*()
</pre><pre class="wiki">-_ []{}&lt;&gt;~`+=,.;:/?|
</pre><p>
When I initially wrote the patch to add in the extra chars for this specific use I ran 100 tests against the APIs to find what characters it used, which is where this list has come from. But as mentioned it does not include any backslashes as shown in this bug report.
</p>
<p>
Are mu-plugins included during the install process, if they exist? Would be strange to have one there before install, but it may be possible for wp_generate_password() to be overridden since it is in pluggable.php.
</p>
aaroncampbell, Thu, 24 Feb 2011 03:40:58 GMT
https://core.trac.wordpress.org/ticket/16623#comment:5
<p>
It also uses wp_generate_password if noapi is set. However, <tt>wp_generate_password</tt> doesn't allow for backslashes, and I just ran a quick test by fetching <a class="ext-link" href="http://api.wordpress.org/secret-key/1.1/salt/"><span class="icon">​</span>http://api.wordpress.org/secret-key/1.1/salt/</a> 1000 times and got no backslashes there either.
</p>
Otto42, Thu, 24 Feb 2011 04:28:52 GMT
https://core.trac.wordpress.org/ticket/16623#comment:6
<p>
The API call actively replaces backslashes with pluses. It can't return them in the keys.
</p>
nacin, Thu, 14 Jun 2012 17:30:55 GMT: status changed; resolution set; milestone deleted
https://core.trac.wordpress.org/ticket/16623#comment:7
<ul>
<li><strong>status</strong>
changed from <em>new</em> to <em>closed</em>
</li>
<li><strong>resolution</strong>
set to <em>invalid</em>
</li>
<li><strong>milestone</strong>
<em>WordPress.org</em> deleted
</li>
</ul>